submitted 1 year ago by xupetas@alien.top to c/main@selfhosted.forum

Hello All,

I have been following the how-tos on how to connect Authelia to FreeIPA, and can now connect and authenticate without any issue. However, if I set the filter for a particular LDAP group I get permission denied. My configuration is as follows:

Authelia bit:

authentication_backend:
  disable_reset_password: false

  ldap:
    implementation: custom
    url: ldaps://ipa.net.xpto:33636
    timeout: 5s
    start_tls: false
    tls:
      server_name: ipa.net.xpto
      skip_verify: true
      minimum_version: TLS1.2
    base_dn: dc=net,DC=xpto
    username_attribute: uid
    additional_users_dn: CN=users,CN=accounts
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: OU=groups
    groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    user: UID=authelia,CN=users,CN=accounts,DC=net,DC=xpto
    password: "myveryawsomeanddificultpassword"

My configuration bit for the filters:

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: "auth.mysite.com"
      policy: bypass

    - domain: lab.mysite.com
      subject: "group:netshare_kb.mysite.com"
      policy: two_factor

If I remove the subject: "group:netshare_kb.mysite.com" I can authenticate without any issue.

For the log bits:

time="2023-11-13T07:06:56Z" level=trace msg="Request hit" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=debug msg="Mark 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Successful 1FA authentication attempt made by user 'nuno'" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Detected user filter is (&(|(uid=nuno)(mail=nuno))(objectClass=person))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing user search" attr="[uid mail displayName]" base_dn="CN=users,CN=accounts,dc=net,DC=xpto" deref=0 filter="(&(|(uid=nuno)(mail=nuno))(objectClass=person))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Computed groups filter is (&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))"
time="2023-11-13T07:06:56Z" level=trace msg="Performing group search" attr="[cn]" base_dn="OU=groups,dc=net,DC=xpto" deref=0 filter="(&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))" scope=2
time="2023-11-13T07:06:56Z" level=trace msg="Profile details for user 'nuno' => groups: [], emails [nuno@mysite.com]" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Check authorization of subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )."
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=1.3.5.7 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:56Z" level=debug msg="No matching rule for subject username=nuno groups= ip=1.3.5.7 and url https://lab.mysite.com/ (method ) applying default policy"
time="2023-11-13T07:06:56Z" level=debug msg="Required level for the URL https://lab.mysite.com/ is 3" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=debug msg="Redirection URL https://lab.mysite.com/ is safe" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:56Z" level=trace msg="Timing Attack Delay successful: true, exec duration: 126, avg execution duration: 1000, random delay ms: 73, total delay ms: 1073, actual delay ms: 947" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=200)" method=POST path=/api/firstfactor remote_ip=1.3.5.7
time="2023-11-13T07:06:57Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost: lab.mysite.com\r\nX-Original-Url: https://lab.mysite.com/\r\nX-Real-Ip: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host: lab.mysite.com\r\nX-Forwarded-Uri: /\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552ccf681701bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nUpgrade-Insecure-Requests: 1\r\nDnt: 1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nSec-Fetch-Site: same-site\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nReferer: https://auth.mysite.com/\r\nAccept-Language: en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=0, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip: 1.3.5.7\r\nCf-Ipcountry: PT\r\nVia: 1.1 lab.mysite.com\r\nX-Forwarded-Server: lab.mysite.com\r\n\r\n" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859217, Last Activity: 1699859216, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=debug msg="Check authorization of subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )."
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/ (method )"
time="2023-11-13T07:06:57Z" level=debug msg="No matching rule for subject username=nuno groups= ip=127.0.0.1 and url https://lab.mysite.com/ (method ) applying default policy"
time="2023-11-13T07:06:57Z" level=info msg="Access to https://lab.mysite.com/ is forbidden to user nuno" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:57Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Request hit" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Headers=GET /api/verify HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\nHost: lab.mysite.com\r\nX-Original-Url: https://lab.mysite.com/favicon.ico\r\nX-Real-Ip: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nX-Forwarded-Proto: https\r\nX-Forwarded-Host: lab.mysite.com\r\nX-Forwarded-Uri: /favicon.ico\r\nX-Forwarded-Ssl: on\r\nAccept-Encoding: gzip\r\nCf-Ray: 82552cd0e98301bd-CDG\r\nCf-Visitor: {\"scheme\":\"https\"}\r\nSec-Ch-Ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\r\nDnt: 1\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"Windows\"\r\nAccept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: image\r\nReferer: https://lab.mysite.com/\r\nAccept-Language: en\r\nCookie: authelia_session=1pajNRsjd!FqmlSKz$QZDKPTZpAGgdHR\r\nPriority: u=1, i\r\nCdn-Loop: cloudflare\r\nCf-Connecting-Ip: 1.3.5.7\r\nCf-Ipcountry: PT\r\nVia: 1.1 lab.mysite.com\r\nX-Forwarded-Server: lab.mysite.com\r\n\r\n" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Using X-Original-URL header content as targeted site URL" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Inactivity report for user 'nuno'. Current Time: 1699859218, Last Activity: 1699859217, Maximum Inactivity: 7200." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Checking if we need check the authentication backend for an updated profile for nuno." method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=debug msg="Check authorization of subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )."
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 1 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 2 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=trace msg="ACL MISS Position 3 for subject username=nuno groups= ip=127.0.0.1 and object https://lab.mysite.com/favicon.ico (method )"
time="2023-11-13T07:06:58Z" level=debug msg="No matching rule for subject username=nuno groups= ip=127.0.0.1 and url https://lab.mysite.com/favicon.ico (method ) applying default policy"
time="2023-11-13T07:06:58Z" level=info msg="Access to https://lab.mysite.com/favicon.ico is forbidden to user nuno" method=GET path=/api/verify remote_ip=127.0.0.1
time="2023-11-13T07:06:58Z" level=trace msg="Replied (status=403)" method=GET path=/api/verify remote_ip=127.0.0.1

So, it shows that I can log on without issues, but it also appears that it cannot find the group netshare_kb.mysite.com, but the group is valid and active within IPA. I can see using ldapsearch that the user is also within that group:

dn: cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto
cn: netshare_kb.mysite.com
description: Acesso a KB
gidNumber: 848450507
ipaUniqueID: b10d7d2e-a765-11e6-b189-02002e0f7ea7
member: uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup

What am I missing? I am on the latest FreeIPA and Authelia versions. Thanks for your help.

this post was submitted on 13 Nov 2023
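Worked example, added here as an illustration; it is not part of the post and not Authelia's own code. Two details on the page line up: the trace log performs the group search with base_dn="OU=groups,dc=net,DC=xpto", while the ldapsearch output places the group at cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto, which is not under that base. The script below rebuilds the group entry from the ldapsearch output in memory and replays Authelia's group step the way the log shows it (base DN = additional_groups_dn + "," + base_dn, {input} substituted into groups_filter, subtree search, name taken from group_name_attribute), once for the posted configuration and once with additional_groups_dn set to cn=groups,cn=accounts. The filter parser, DN normalisation and the escaping of {input} are this example's own simplified versions, not Authelia's implementation.

```python
"""Replay Authelia's LDAP group lookup offline against the FreeIPA group entry
from the post. Added example, not Authelia's code: it mirrors only what the
trace log shows for the group step (base = additional_groups_dn + "," + base_dn,
{input} spliced into groups_filter, subtree search, name from group_name_attribute)."""
import re

# In-memory directory, constructed from the ldapsearch output in the post.
# Attribute types are lower-cased; values compare case-insensitively, as the
# caseIgnore matching rules for cn/ou/dc/member/objectClass do.
DIRECTORY = {
    "cn=netshare_kb.mysite.com,cn=groups,cn=accounts,dc=net,dc=xpto": {
        "cn": ["netshare_kb.mysite.com"],
        "gidnumber": ["848450507"],
        "member": ["uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto"],
        "objectclass": ["ipaobject", "top", "ipausergroup", "posixgroup",
                        "groupofnames", "nestedgroup"],
    },
}


def norm_dn(dn: str) -> str:
    """Canonical DN for comparison: lower-case, no blanks around ',' or '='."""
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in dn.split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or sits below it (scope=2, subtree)."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for user input spliced into a filter (Authelia escapes
    {input} the same way); without it '*)(objectclass=*' rewrites the query."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(text: str):
    """Parse the RFC 4515 subset needed here: (&..) (|..) (!..) (attr=value)
    and presence (attr=*). Returns a small tuple-based AST."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|!":
            op, i, kids = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, raw = text[i:j].partition("=")
        if raw == "*":
            return ("present", attr.strip().lower()), j + 1
        # undo \xx escapes so an escaped '*' or ')' compares as a literal
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return ("=", attr.strip().lower(), value), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, attrs: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    if op == "present":
        return node[1] in attrs
    _, attr, value = node
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def authelia_group_search(cfg: dict, username: str, directory=DIRECTORY) -> dict:
    """Build base DN and filter as the trace log shows them, run a subtree search
    over `directory`, and return what would be logged plus the group names."""
    base = cfg["base_dn"]
    if cfg.get("additional_groups_dn"):
        base = f"{cfg['additional_groups_dn']},{base}"
    flt = cfg["groups_filter"].replace("{input}", escape_filter_value(username))
    tree = parse_filter(flt)
    groups = [attrs[cfg["group_name_attribute"]][0]
              for dn, attrs in directory.items()
              if in_subtree(dn, base) and matches(tree, attrs)]
    return {"base_dn": base, "filter": flt, "groups": groups}


# The ldap: block from the post: groups searched under OU=groups.
POSTED = {
    "base_dn": "dc=net,DC=xpto",
    "additional_groups_dn": "OU=groups",
    "groups_filter": "(&(member=uid={input},cn=users,cn=accounts,dc=net,dc=xpto)"
                     "(objectclass=groupofnames))",
    "group_name_attribute": "cn",
}
# Same settings, but with the container the ldapsearch output actually shows.
FREEIPA_TREE = dict(POSTED, additional_groups_dn="cn=groups,cn=accounts")

if __name__ == "__main__":
    for label, cfg in (("OU=groups", POSTED), ("cn=groups,cn=accounts", FREEIPA_TREE)):
        r = authelia_group_search(cfg, "nuno")
        print(f"{label:>22}: base_dn={r['base_dn']}  groups={r['groups']}")
```

Running it prints the two base DNs side by side with `groups=[]` for the posted settings and `groups=['netshare_kb.mysite.com']` for the cn=groups,cn=accounts container. The same check against the live server is `ldapsearch -H ldaps://ipa.net.xpto:33636 -D 'uid=authelia,cn=users,cn=accounts,dc=net,dc=xpto' -W -b 'cn=groups,cn=accounts,dc=net,dc=xpto' '(&(member=uid=nuno,cn=users,cn=accounts,dc=net,dc=xpto)(objectclass=groupofnames))' cn`; swapping the -b value for ou=groups,dc=net,dc=xpto reproduces the empty result from the log. Two things worth noting from the posted config while at it: skip_verify: true disables certificate validation on the ldaps bind, so the bind password is sent to whatever answers on port 33636; and the escaping step matters because the username typed into the login form is what ends up inside groups_filter.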